[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Why Vista? - THE OFFICIAL BLOG OF THE SBS "DIVA"
Sat, May 10 2008 16:00 bradley

Why Vista?

So there has been this thread in several listservs between those that have embraced Vista and those that see Windows XP as what they embrace.  And invariably folks ask “what does Vista have that my clients want?”  Before we get my reasons listed here let’s get the elephants in the room satisfied.

It’s slower.

It’s bloated.

It doesn’t have anything my clients need or want.

It takes more RAM.

..and so on…..

In my opinion what the yes or no to Vista comes down to is good or bad experiences with hardware.  And I’m toying with the idea of starting a list of good Vista hardware configurations and bad ones as I’ve noticed a trend where some hardware is really good and some hardware isn’t so good.  I’ve been very happy with HP hardware.

Here are my observations regarding Vista.

First off only buy it on new hardware.  With all due respect to the folks that built the Vista hardware assessment toolkit so you can scan your network and see if you are ready to deploy Vista, don’t even think of deploying it to existing boxes.  Yes, I’m typing this blog post up on a several-year-old Acer Travelmate C110 whose video monitor can’t do Aero and it has 2 gigs of RAM but it acts the same as it did with XP.  I fully expect to support a mixed network for the next few years.  I’ve also noticed a great deal of change between last year’s Vista quality hardware and this year’s.  I've not found it slower.

I have it running on a 2-year-old Acer Travelmate C110 and it can't do Aero.  If your perception is that it's bloated... then turn off Aero.  I consider 2 gigs of RAM to be standard these days.  3 gigs better, 4 gigs even better and I'm still 32-bit.  Throw in a flash drive and I've seen it speed up as well.

Not running as admin.  So many times I keep hearing people say that “I’m running as administrator”.  And really, you are not.

 

Read that very carefully.  It says “you think you are running with full administrator rights, but there are still some places that impact more than one user where we will still ask your permission.”  That means the root of the C drive is protected.  Other users’ folders are protected.

It’s bloated.  In my office I have an 8088 luggable computer.  Burned into its green screen is the Lotus 123 we used back then.  I also have a DOS based Lacerte from 1986 that still runs.  However their user friendliness is for the birds.  One man’s bloat is another man’s GUI.  And if it’s so bloated why is it running like a champ on this laptop?  One thing that I would recommend even with new OEM computers is to make sure the NIC and video card drivers are on the latest versions.

Searching.  Truly it makes a big difference.  In my experience it’s faster than the Windows Desktop search.

SMB 2.0.  The very thing that is causing some pain now, makes for extremely fast network speeds once a Windows 2008 server is connected.  Many of us right now are comparing the user experience of XP hanging off of a 2k3 box and that is indeed the optimal setting.  What most of us are not seeing is the experience when you hang a Vista off of a 2k8 box.  I have a 2k8 and a 2k3 member server and my goodness the speed difference.

Security (and no I’m not talking about UAC).  For those that wax poetic about Windows 2000, look at the risk of that platform with regards to patching it.  More often than not when there is a 2k vulnerability that matches an XP vulnerability, the XP can only be attacked from authenticated connections, the 2000 opens itself up to anything.  I really don’t think enough time has passed for us to get a good feel yet for the code review and SDL impact on Vista (Jeff Jones counts and all notwithstanding).

Group policy Settings.  You want to allow some kinds of USB devices and not others?  Not a problem.  Take a look at these links.  We do NOT use group policy like we should do and if you have clients worried about data walking out of their firm Vista has tons more granular policies for controlling USB devices.

http://technet2.microsoft.com/WindowsVista/en/library/a8366c42-6373-48cd-9d11-2510580e48171033.mspx?mfr=true

http://download.microsoft.com/download/c/3/8/c3815ed7-aee7-4435-802b-8e855d549154/GroupPolicySettingsforWindowsVista.xls

Specifies a list of Plug and Play hardware IDs and compatible IDs for devices that cannot be installed.

If you enable this setting, a device cannot be installed or updated if its hardware ID or compatible ID matches one in this list.

If you disable or do not configure this setting, new devices can be installed and existing devices can be updated, as permitted by other policy settings for device installation.

To locate the hardware IDs for a specific device, open the Device Manager, right click on the device that you are interested in and select the Properties command from the resulting shortcut menu. Upon doing so, you will see the device's properties sheet. Now, go to the properties sheet's Details tab and select Hardware IDs from the Property drop-down list.

NOTE: This policy setting takes precedence over any other policy settings that allow a device to be installed. If this policy setting prevents a device from being installed, the device cannot be installed or updated, even if it matches another policy setting that would allow installation of that device.

If this computer is a Terminal Server, then enabling this policy also affects redirection of the specified devices from a Terminal Services Client to this computer.
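
The following Windows PowerShell script is an added example, not part of the original post or of Microsoft's policy text. It lists the hardware and compatible IDs of the USB devices present on a machine and marks the ones that match the deny list described above. It assumes the policy is stored under the `DeviceInstall\Restrictions\DenyDeviceIDs` registry key shown in the code and that `Get-WmiObject` is available (Windows PowerShell, run as an administrator); the function names are hypothetical.

```powershell
# Added example: compare present USB devices against the device-ID deny list.
# Assumption: the "Prevent installation of devices that match any of these
# device IDs" policy is stored under the key below, with the IDs held as
# values named 1, 2, 3, ... in the DenyDeviceIDs subkey.
$denyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs'

function Get-DeniedDeviceId {
    # Returns the configured deny list, or nothing if the policy is not set.
    if (-not (Test-Path -Path $denyKey)) { return @() }
    $key = Get-Item -Path $denyKey
    return @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

function Get-UsbDevicePolicyReport {
    $denied = @(Get-DeniedDeviceId)
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.PNPDeviceID -like 'USB*' } |
        ForEach-Object {
            # The same IDs Device Manager shows on the Details tab.
            $ids = @(@($_.HardwareID) + @($_.CompatibleID) | Where-Object { $_ })
            # -contains is case-insensitive, which suits hardware ID strings.
            $matched = @($ids | Where-Object { $denied -contains $_ })
            New-Object PSObject -Property @{
                Name            = $_.Name
                HardwareIDs     = $ids -join '; '
                DeniedBy        = $matched -join '; '
                # The policy stops install and update; a device that was
                # installed before the policy applied can still be present.
                MatchesDenyList = ($matched.Count -gt 0)
            }
        }
}

Get-UsbDevicePolicyReport |
    Sort-Object MatchesDenyList -Descending |
    Format-List Name, MatchesDenyList, DeniedBy, HardwareIDs
```

A device that shows `MatchesDenyList : True` on a machine where the policy is already enforced was installed before the policy took effect and is worth reviewing.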

 

UAC

User Account Control

Yes that lovely thing everyone loves to bash.  First off in SBS 2008 the one tweak that I will go on record now as saying that I will not freak out one bit if you do is on the server, if you change the UAC to automatically elevate.  Why?  Because when you are on the server you should have your “I’m an admin, I should be careful now” mode. 

Run Regedit and navigate to
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
Change the value of ConsentPromptBehaviorAdmin from "2" to "0".

On a workstation, I would argue that the threats on the web mean that Microsoft saying “only surf on trusted web sites” is meaningless.  I don’t trust ANY web site anymore.  Sandi of the www.msmvps.com/blogs/spywaresucks blog talks about malvertisements where banner ads offer up malicious content.  Big sites like CNN.com, even Microsoft’s own Hotmail have been hit with these malicious advertisements.  I can’t trust ANY web site these days (which is another reason I’m looking at http://www.calyptix.com/index.php as a unified threat management device solution).

Do I want to turn that off on the workstation?  I would argue not.  It puts Vista into what we jokingly call the “untied string bikini mode” http://msmvps.com/blogs/bradley/archive/2008/02/08/keep-your-bikini-on.aspx , where something ‘could’ trick you into lowering your defenses.  But IF you do the “untied string bikini mode”, at least it leaves protected mode in place for Internet Explorer.  (not to mention you have to also regedit off the warning as well). 
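
To check which machines carry the auto-elevate tweak, the following Windows PowerShell script (an added example, not part of the original post) reads `ConsentPromptBehaviorAdmin` from the key named above and compares it with the post's server-versus-workstation position. The `EnableLUA` value and the `Win32_OperatingSystem.ProductType` check are not mentioned in the post and are included as assumptions about how to tell a disabled UAC and a server apart; the function name is hypothetical.

```powershell
# Added example: report the UAC consent setting discussed in the post.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacConsentReport {
    $uac = Get-ItemProperty -Path $uacKey -ErrorAction Stop
    $os  = Get-WmiObject -Class Win32_OperatingSystem

    # ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $isServer = ($os.ProductType -ne 1)
    $consent  = $uac.ConsentPromptBehaviorAdmin

    if ($null -eq $consent) { $meaning = 'value not set' }
    elseif ($consent -eq 0) { $meaning = 'elevate without prompting' }
    elseif ($consent -eq 2) { $meaning = 'prompt for consent (the value the post changes from)' }
    else                    { $meaning = 'other value, not covered in the post' }

    # EnableLUA is not in the post: 0 means UAC is switched off entirely.
    if ($uac.EnableLUA -eq 0) {
        $verdict = 'UAC is disabled (EnableLUA = 0).'
    } elseif ($consent -eq 0 -and $isServer) {
        $verdict = 'Server auto-elevates: the one tweak the post accepts.'
    } elseif ($consent -eq 0) {
        $verdict = 'Workstation auto-elevates: the post argues against this.'
    } else {
        $verdict = 'Administrator elevation is not silent.'
    }

    New-Object PSObject -Property @{
        Computer                   = $env:COMPUTERNAME
        IsServer                   = $isServer
        ConsentPromptBehaviorAdmin = $consent
        Meaning                    = $meaning
        EnableLUA                  = $uac.EnableLUA
        Verdict                    = $verdict
    }
}

Get-UacConsentReport |
    Format-List Computer, IsServer, ConsentPromptBehaviorAdmin, Meaning, EnableLUA, Verdict
```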

It’s been my experience that the roughest/toughest part of Vista is the install of the applications.  Those particular apps that throw off the most UAC prompts… you should equate UAC prompts per application to “this vendor didn’t care about security when they wrote this”.  If you have an older LOB app that isn’t supported on Vista, then you have to make the call of going unsupported.  Of course if the app is really old, it’s probably unsupported on XP as well.  If you have a newer app and the vendor won’t support it, please push on the vendor to do so, and then virtualize the app, look at Terminal Server or opt for Vista Business with XP downgrade rights (and yes, OEMs will be selling this AFTER June 30). 

But think about doing the registry hacking that the PDFs and handouts talk about, as I can get workstations to only throw off UAC when they update.

As long as my users have icons on the desktop for their applications, they don’t skip a beat and they absolutely LOVE the clock on the gadget bar.  But meanwhile I get the extra group policy settings, I get the advanced event viewer, I get the task manager, I get the local shadow copy.

I’ve just scratched the surface here and I’ll blog more on this, but Vista is a solid business value for me and my firm.

PDF attachments for the handouts given out at the session:

http://msmvps.com/files/folders/bradley/entry1618983.aspx

http://msmvps.com/files/folders/bradley/entry1618980.aspx

http://msmvps.com/files/folders/bradley/entry1618969.aspx

http://msmvps.com/files/folders/bradley/entry1618966.aspx

Video regarding group policy -- I sound a bit like Minnie Mouse but try it anyway.. http://www.sbslinks.com/sbsmigration/ITProConference.html

# Surprisingly little sharing of ideas from SMB Conferences « SMB Thoughts by Brian Williams

Pingback from  Surprisingly little sharing of ideas from SMB Conferences « SMB Thoughts by Brian Williams

# re: Why Vista?

Saturday, May 10, 2008 8:39 PM by P. R. Petitt

4 gigs even better and I'm still 32bit.

Although 32 bit vista reports 4gb, it is still only using 3gb (you can verify in Task Manager), so why is 4gb better unless you plan to switch to 64 bit someday?

# re: Why Vista?

Sunday, May 11, 2008 2:02 AM by Steve Banks

As we talked about this afternoon during the presentation at SBS Migration, I do not and will not subscribe to turning off UAC on a server Susan.  I treat the server better than my client PCs and that means that I want tighter security on there, not more lax for my convenience as I'm working on it.  UAC is not an annoyance; it is a new necessary precaution that elevates when I allow it to.  Apple has had this for years in OS X and users even have to drop in their password, so what's all the fuss about clicking okay or cancel in Vista or Server 2008?  Why shut off something that is there to keep you safe?  Makes no sense to me.

# Vista performance « SMB Thoughts by Brian Williams

Sunday, May 11, 2008 4:32 AM by Vista performance « SMB Thoughts by Brian Williams

Pingback from  Vista performance « SMB Thoughts by Brian Williams

# re: Why Vista?

Sunday, May 11, 2008 4:43 AM by bradley

Because I do later plan to switch.